Agenda Item

Audit and Governance Committee

 18 January 2023

 

Report of the Head of Internal Audit

 

Internal Audit Plan Consultation

 

Summary

1          The purpose of the report is to seek the Audit and Governance Committee’s initial views on priorities for internal audit work during 2023/24.

Background

2          Internal audit provides independent and objective assurance and advice on the council’s control processes. It helps the organisation to achieve its objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

3          The Public Sector Internal Audit Standards (PSIAS), and the council’s audit charter, require internal audit to draw up an indicative programme of work based on an assessment of risk. The standards require internal audit to independently form a view on the risks facing the council. However, they also require the opinions of the Audit and Governance Committee and senior council officers to be taken into account when forming that view.

4          Consultation with officers on proposed 2023/24 audit work will be undertaken over the next two months. A draft internal audit work programme will be brought to this committee in March 2023.

5          The purpose of this report is to seek the committee’s initial views on priorities for internal audit work over the coming year.

2023/24 internal audit work programme

 

6          A flexible approach to audit planning has been in place since 2021/22. Under this approach, an indicative long list of potential areas of audit focus is developed at the start of the year.

7          The long list includes all areas that are likely to be important for audit in the year. However, it is over-programmed (ie it includes more work than is possible to complete). Actual work to be undertaken is selected from the long list throughout the year based on an ongoing assessment of risks and priorities.

8          This approach allows us to keep upcoming work under review, to ensure we are targeting audit resources to those areas most needed. It also builds in flexibility, by enabling us to respond quickly to emerging issues or to commence work on other areas of importance when risks and priorities change. The long list is kept under continuous review during the year. Potential audits are added or removed from the programme as required.

9          The indicative programme is informed by a number of factors such as the council’s risk registers, relevant national issues and our wider audit knowledge, including the results of recent audit work. The council’s external auditors are also consulted to avoid possible duplication of work programmes, and to maximise the overall benefit of independent audit activity. The indicative programme will be presented to the Audit and Governance Committee for approval on 15 March 2023.

10      A specific public sector requirement for internal audit is that the risk-based plan (or programme) must take into account the requirement to produce an annual internal audit opinion. Internal audit work programmes cover a range of risk areas to ensure that the work undertaken enables Veritau to meet the requirement to provide an overall opinion on the governance, risk management, and control framework operating in the council.

11      Veritau has defined 11 key areas where we require assurance during the course of the year in order to provide that opinion, as follows:

      Strategic planning

      Organisational governance

      Financial governance

      Risk management

      Information governance

      Performance management and data quality

      Procurement and contract management

      People management

      Asset management

      Programme and project management

      ICT governance

12      Functionally, the indicative programme will be structured into a number of sections, as set out below. In deciding the work to be included in each section, consideration is given to the key assurance areas listed at paragraph 12 to ensure there is appropriate coverage.

      Strategic / corporate & cross-cutting – to provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.

      Technical / projects – to provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.

      Financial systems – to provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.

      Service areas – to provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.

      Other assurance areas – an allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.

      Client support, advice & liaison – work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

13      Figure 1 below includes initial ideas on areas for consideration for audit in 2023/24. These are included to prompt discussion. They are not intended to be a definitive or complete list of areas that could be reviewed or that will be included in the work programme.

14      The committee’s views are sought about areas they consider a priority for internal audit coverage during 2023/24. This may include particular areas listed in figure 1 that the committee think should be a high priority; or any other areas which should be considered for audit.  

Figure 1 – Risk areas to consider for Audit in 2023/24

Area

 

Possible Work

Strategic / corporate & cross-cutting

·         Medium term financial planning and budgeting, budget management, savings plans, commercialisation and investment, financial resilience

·         Cipfa Financial Management Code consulting assignment

·         Areas of the council’s corporate governance framework (eg schemes of delegation, constitution, transparency)

·         Strategic planning (eg policies and procedures, the Council Plan)

·         Risk management, business continuity, disaster recovery plans, and insurance arrangements

·         Performance management and data quality

·         Partnership working

·         Procurement and contract management (including supply chain resilience, third party risk, due diligence, Modern Slavery Act compliance)

·         Ethics and organisational culture

·         HR and organisational development / workforce planning (eg absence management, staff wellbeing, recruitment and retention, agency staff, training and development / talent management)

·         Premises physical security and asset management

·         Information governance and data protection – compliance, management of information assets, data sharing agreements, data storage arrangements, information security, training

·         Environmental sustainability, climate change and waste – York Climate Change Strategy and related areas (carbon reduction, energy management, recycling, climate change resilience)

·         Health and safety

 

Technical / projects

·         IT strategy and governance (such as information security policies, IT risk management, change management, supporting service development and roles and responsibilities)

·         IT information security (such as server configuration, patch management and operating system configuration)

·         IT services (such as help desk, incident management and network availability)

·         Cybersecurity 

·         Digitalisation / automation

·         Overall corporate project management arrangements and project risk management

·         Support to, and review of, specific key projects

 

Financial systems

·         Payroll / personnel

·         General ledger, debtors (including debt recovery and enforcement processes), creditors, cash income management

·         Capital accounting and assets

·         Treasury management

·         Council Tax / NNDR 

·         Housing rents

·         Housing benefits

 

Service areas

·         Adult and children’s social care – budget management, workforce planning, case management, high-cost placements, referrals and assessments, direct payments, procurement, quality assurance, safeguarding, capacity, contract monitoring, deprivation of liberties

·         Special Educational Needs and Disability (SEND) – EHC plans (processes), planning, working with partners, funding

·         Public health, including management of contracts

·         Housing strategy, use of temporary accommodation and homelessness

·         Other risks relating to specific service areas (such as schools, planning and enforcement, local plan strategy, waste collection and recycling, highways, parking, licensing, community safety, environmental health, economic development, domestic violence strategies)

·         Contract management / client arrangements (eg Explore, YMT)

·         Building services / housing repairs

 

 

Consultation

 

15      This report is part of the ongoing consultation with stakeholders on priorities for internal audit work in 2023/24.

Options

16      Not relevant for the purpose of the report.

Analysis

17      Not relevant for the purpose of the report.

Council Plan

18      The work of internal audit supports overall aims and priorities by promoting probity, integrity and honesty and by helping to make the council a more effective organisation. 

Implications

19      There are no implications to this report in relation to:

·                  Finance

·                  Human Resources (HR)

·                  Equalities

·                  Legal

·                  Crime and Disorder

·                  Information Technology (IT)

·                  Property

Risk Management Assessment

20      The council will fail to comply with internal audit standards if appropriate consultation is not undertaken on the content of risk-based audit plans.

Recommendations

21      The committee is asked to:

-              Comment on the priorities for internal audit work for 2023/24. 

Reason

To ensure that the views of the committee are taken into account when deciding on work to be included in the internal audit work programme.

Contact Details

Author:

Max Thomas

Head of Internal Audit

Veritau Limited

Telephone: 01904 552940

Chief Officer Responsible for the report:

Bryn Roberts

Director of Governance

Telephone: 01904 555521

Report Approved: ✓

Date: 05/01/2023

 

Specialist Implications Officers

 

Not applicable

 

Wards Affected:  Not applicable

All ✓

 

 

For further information please contact the author of the report

 

Background Papers

 

None

 

Annexes

 

None